2 Answers
2

You should learn to use the "openssl" command-line tool (available for Windows, Linux, Mac OS X, etc.).

Type on the command line: (where mycert is your certificate)

openssl x509 -text -in mycert

This decodes all the fields in the certificate, and will list any restrictions.

No, it doesn't have to be RSA. You can select Diffie-Helmman instead when you create your certificate.

There are a wide variety of certificate uses. For example, you might want a certificate that can sign other certificates for the domain, so that you don't need to buy individual certificates from a CA, but can create them yourself.

Not all certificates use RSA, but most do. A few months ago, I scanned a lot of random IP addresses to find SSL servers, and out of 10147 certificate chains (from 16027 servers -- there is considerable chain reuse), only 9 of them used anything else than RSA (6 with DSA keys, 3 with GOST keys; no Diffie-Hellman, no ECDSA). This is more than market dominance; RSA has an almost monopoly on cryptographic algorithms for SSL servers.

(I should write a Web page somewhere with all the stats.)

Apart from the Key Usage extension, a few other extensions can be relevant; see this answer for details.